OPINION

Fast and Furious - 2

Speed and safety on the WiFi highway. How travellers can evade hotel hacking and zombies.

by Vijay Verghese/ Editor

JUMP TO Current columns

Yes, you could get hacked anywhere via a WiFi scam

AS I PLUGGED into the free WiFi at my Bangkok hotel, a sign popped up prompting me to re-key in my Yahoo details to access my mail. I thought nothing of it and did as instructed. Yahoo has a terrible habit of ringing alarm bells every time I log-on from a different computer, or country, which is often. And, each time, it has asked me to change my password as a security precaution, exhausting my imagination and severely taxing my memory. But when the message flashed up a second time, I sensed a scam might be afoot. It was too late. My e-mail had been compromised, as I found out later.

Hotel cyber break-ins are not uncommon. In late 2014, Russian cyber sleuth Kaspersky Labs announced the discovery of the ‘Darkhotel’ corporate espionage campaign, targeting high value business travellers at top-drawer Asian hotels. Kaspersky says, “Darkhotel has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.” This is as brilliant, as it is Machiavellian. Most of the activity has been concentrated in Japan, South Korea, China and Russia.

Send us your Feedback / Letter to the Editor

The way it works is simple. After the hotel guest establishes a WiFi connection, he gets sent an innocuous alert for updates to Windows or other common software. These are the kinds of alerts that pop up all the time. But proceeding with the update in this case installs a ‘backdoor’ on your laptop enabling criminals to mine your keystrokes and access saved passwords and credit card data. After the information is extracted, Darkhotel methodically wipes its tracks and deletes the backdoor. It never existed.

This is a more sophisticated version of the common ploy whereby a traveller is conned into logging onto an enticingly free hotspot that is in fact being controlled by someone else’s computer. This sort of scam usually happens in close proximity to frequently visited coffee shops, malls, and airports, where anyone with a laptop and the right knowhow can set up a fake hot spot, to ensure all your data passes through his computer en route to the network. This kind of phishing is referred to as a ‘man-in-the-middle’ attack.

{The update in this case installs a ‘backdoor’ on your laptop enabling criminals to mine your keystrokes and access credit card data....

Television channel NBC recently invited a security expert to run a test in New York employing fake free WiFi zones.  Within minutes, 391 people were connected at JFK, and a further 768 in Brooklyn. Over three days, 2,341 people strolling around Manhattan had signed up. Interestingly, another 109 people signed up in the first day for 24-hour paid access at a rate of US$2, in the process handing over all their credit card details.

In a WiFi hijacking scenario, at minimum you are set to lose your passwords and credit card data, while at worst, you may have malware fed into your laptop to turn it into a ‘zombie’ operating remotely at the behest of a distant master. Your trusted laptop with all your gooey photos of junior dribbling can be woken up at any time to join an army of zombies to attack a company, a network, or an entire country – as happened with Estonia in May 2007. Russia was blamed for that cyber attack.

Another form of entrapment is at trade shows and exhibitions where distracted participants expect free WiFi and, all too easily, in between muscling around cartloads of brochures and swag, log on to a fraudulent network. Nor is it safe to log-in to third-party sites using your Facebook password as this actually gives that company complete access to all your blushing details - passwords too. Hotels are often under pressure by service providers to allow a FB sign-in. Watch out for this.

The advice then is simple. Don’t pay for hotspots and be wary of free WiFi. Never divulge credit card details or anything sensitive in such situations. Never connect to a peer-to-peer (P2P) network, switch off any auto-connect functions, turn off your file sharing, and view software updates with extreme suspicion. Most sensibly, avoid opening any attachments that you are not entirely sure about, especially via non-specific e-mails from friends saying, “Hey, check this out,” and so on.

The other problem on the road is data speed. Many hotels now offer free but painfully sluggish WiFi, encouraging guests to upgrade to faster paid Internet packages. Fortunately, it is relatively simple to measure speed and travellers can try their luck at Hotel WiFi Test. The site runs several network speed snapshots of hotels around the world. Pick your destination and check if your hotel is listed. The information may not be entirely current but it offers an interesting benchmark.

How do hotels in Asia compare? Okura Prestige Bangkok serves up a network speed of 12.9mbps (megabits per second), the playful Sofitel So Bangkok 11.4mbps, while Four Points by Sheraton Bangkok grinds on with paid WiFi speeds of just 4.7mbps.

In Hong Kong where everything operates at breakneck pace, the Cosmopolitan Hotel has free WiFi at 43.5mbps, with the Renaissance Hong Kong Harbour View Hotel providing a modest but meaty 18.6mbps. Four Seasons Hong Kong delivers 19.5mbps, with the trendy art boutique hotel J Plus Hotel by Yoo dishing out a frustrating, if free, 5.1mbps.

Marina Bay Sands Singapore has free WiFi at a blazing 56.2mbps, with Shangri-La Singapore weighing in at 23.8mbps, The Fullerton at a decent 29.1mbps (free), and the swish St Regis Singapore dragging its heels at 4.2mbps (free). Compare this with a data speed of 32.2mbps at the Imperial Hotel Tokyo and 27.7mbps (free) at Park Hyatt Tokyo.

Sayonara.

Send us your Feedback / Letter to the Editor

▲ top